authorFup Duck <fupduck@sacknagel.com>2018-02-11 13:25:24 +0100
committerFup Duck <fupduck@sacknagel.com>2018-02-11 13:28:43 +0100
commitca82cdf77ee4d30b820a1f936315c6c5be78359d (patch)
tree90f031e4b2603a8254d178317942e808adba6099 /app/src/main/java/se/leap/bitmaskclient/Provider.java
parentdf4bf064a8c9310ed887d80bf6cd6328d1363f49 (diff)
8827 - discussion
* validate urls before changing anything in Provider.define() * save private key and vpn cert after login/signup
Diffstat (limited to 'app/src/main/java/se/leap/bitmaskclient/Provider.java')
-rw-r--r--app/src/main/java/se/leap/bitmaskclient/Provider.java24
1 files changed, 21 insertions, 3 deletions
diff --git a/app/src/main/java/se/leap/bitmaskclient/Provider.java b/app/src/main/java/se/leap/bitmaskclient/Provider.java
index 4d608222..e53dd4fb 100644
--- a/app/src/main/java/se/leap/bitmaskclient/Provider.java
+++ b/app/src/main/java/se/leap/bitmaskclient/Provider.java
@@ -141,9 +141,27 @@ public final class Provider implements Parcelable {
}
}
- public void define(JSONObject providerJson) {
- definition = providerJson;
- parseDefinition(definition);
+ public boolean define(JSONObject providerJson) {
+ /*
+ * fix against "api_uri": "https://calyx.net.malicious.url.net:4430",
+ * This method aims to prevent attacks where the provider.json file got manipulated by a third party.
+ * The main url should not change.
+ */
+
+ try {
+ String providerApiUrl = providerJson.getString(Provider.API_URL);
+ String providerDomain = providerJson.getString(Provider.DOMAIN);
+ if (getMainUrlString().contains(providerDomain) && providerApiUrl.contains(providerDomain + ":")) {
+ definition = providerJson;
+ parseDefinition(definition);
+ return true;
+ } else {
+ return false;
+ }
+ } catch (JSONException e) {
+ e.printStackTrace();
+ return false;
+ }
}
protected JSONObject getDefinition() {
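Review bot: The new check in `define()` uses `String.contains`, so it compares substrings rather than hosts: `providerDomain` and `providerApiUrl` both come from the same untrusted `provider.json`, and a `domain` value that is only a fragment of the main URL passes the first test and leaves the second one easy to satisfy. Parsing the URLs and comparing hosts, anchored on the main URL (the value the comment says should not change), would bind the API host to the provider. The sketch below assumes the API host is either the main host or a subdomain of it, which should be confirmed against real provider layouts, and it needs `java.net.URL` and `MalformedURLException` in scope. `define()` now returns `boolean` and its callers are outside this hunk, so each of them has to act on a `false` result instead of continuing with the old definition.

```java
try {
    String providerApiUrl = providerJson.getString(Provider.API_URL);
    String providerDomain = providerJson.getString(Provider.DOMAIN);
    // Compare parsed hosts, anchored on the main URL, instead of substrings.
    String mainHost = new URL(getMainUrlString()).getHost();
    String apiHost = new URL(providerApiUrl).getHost();
    boolean domainMatches = mainHost.equalsIgnoreCase(providerDomain);
    boolean apiMatches = apiHost.equalsIgnoreCase(mainHost)
            || apiHost.endsWith("." + mainHost);
    if (domainMatches && apiMatches) {
        // … unchanged: assign definition, parseDefinition, return true …
    } else {
        // … unchanged: return false …
    }
} catch (JSONException | MalformedURLException e) {
    // … unchanged: report the error and return false …
}
```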